Express Mail Label No.: EL659734011US 
Date Mailed: May 22, 2001 



UNITED STATES PATENT APPLICATION 
FOR GRANT OF LETTERS PATENT 



PAUL W. DENT 
JANEZ SKUBIC 
INVENTOR(S) 



SECURITY SYSTEM 



COATS & BENNETT, P.L.L.C. 

P.O. Box 5 
Raleigh, NC 27602 
(919) 854-1844 



Ericsson Ref.: P12563-US1 
C&B Ref. No.: P-4015.844



SECURITY SYSTEM 

BACKGROUND OF THE INVENTION 
The present invention relates generally to security systems to provide security for a
protected function and, more particularly, to a security system that uses a challenge/response
protocol to provide security for the protected functions.

Traditional locks employ a key or combination to limit access to property. Presumably,
only persons with right to access the property will possess the key or combination needed to
operate the lock. This traditional approach is still widely used. More recently, traditional key
and combination locks have been replaced by electronic locking systems actuated by plastic
cards with magnetic strips. This type of electronic lock is commonly used in hotels. In this type
of system, a door handle and electromechanical locking mechanism are integrated with a
magnetic card reader within a strong metal enclosure. The magnetic card reader reads the
inserted card, checks for a key code, and actuates the locking mechanism to unlock the door if
the correct key code is supplied.

It has also been known to use some sort of identification, such as a PIN code,
fingerprint, or iris scan, to enable a locking mechanism to unlock a door. One such device is
disclosed in U.S. Patent No. 6,038,666 to Hsu et al. This patent discloses a wireless method of
operating a door lock using fingerprint data. The door lock must first be loaded with fingerprint
data of an authorized user and the user's public cipher key. A mobile device carried by the
authorized user is also loaded with the same fingerprint data and communicates wirelessly with
the door lock. The name of the user is transmitted unencrypted to the door lock. The door lock
generates a random public/private cipher key pair and sends the public key to the user's device.
The user's device doubly encrypts the fingerprint data using the user device's private key and
the door lock's public key in unspecified order, and transmits the result to the door. The door
decrypts the received fingerprint data and compares it with the stored fingerprint data, unlocking
the door if the fingerprint data matches.

BRIEF SUMMARY OF THE INVENTION 
The present invention relates to a security system providing security for a protected
function such as unlocking a door. According to the present invention, the protected function is
controlled by an access control device. Parties authorized to access the protected function use
a wireless communication device, such as a mobile radio telephone, to communicate with the
access control device. An authorization code valid for a specified time period is stored in the
wireless communication device. To access the secured function, the authorized party causes
the wireless communication device to transmit an access request to the access control device.
The access control device, in response to the access request, transmits an authentication
challenge to the wireless communication device. The authentication challenge will typically
comprise at least a random number and may include a time indication. The wireless
communication device generates an authentication response by combining selected portions of
the authentication challenge (e.g., the random number) with the authorization code stored in its
memory and transmits the authentication response to the access control device. The access
control device compares the received authentication response to an expected authentication
response and enables or activates the protected function if the received authentication response
matches the expected authentication response.

In one embodiment of the invention, the access control device is connected by a local
area network to a central controller, which can supply the access control device with appropriate
authorization codes. The central controller can also change authorization codes when needed.
In a second embodiment, the access control device is a stand-alone device programmed with a
master code. In this embodiment, the access control device uses the stored master code to
compute authorization codes for different time periods. The central controller, with a priori
knowledge of the master code used by the access control device, can also compute
authorization codes for any time period.

The access control system of the present invention may be used, for example, in a hotel
to control access to hotel rooms for predetermined time periods. Those skilled in the art will find
numerous other uses for the access control system of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 is a schematic diagram of the wireless door lock system according to the
present invention.

Figure 2 is a functional block diagram of a wireless communication device used by an
authorized party to communicate with an access control device.

Figure 3 is a functional block diagram of a security module which may be used in an
access control device, wireless communication device, or central controller.

Figure 4 is a functional block diagram illustrating one exemplary embodiment of an
access control device according to the present invention. In this embodiment, the access
control device is in the form of an electronic door lock.

Figure 5 is a functional block diagram of a central controller used to issue authorization
codes to a wireless communication device.

DETAILED DESCRIPTION OF THE INVENTION 
Figure 1 illustrates a security system, indicated generally by the numeral 10, according
to the present invention. The security system 10 comprises an access control device 20, a
central controller 40, and a wireless communication device 100 for actuating protected functions
secured by the access control device 20. In the illustrative embodiment described below, the
security system 10 is a wireless door lock system for a hotel and the access control device 20
comprises an electronic door lock. Therefore, for the remainder of the description, the access
control device 20 is referred to herein as electronic door lock 20.

According to the present invention, the wireless communication device 100 is enabled
with an authorization code by the central controller 40. Once enabled, the wireless
communication device 100 may be used to "unlock" the door. To unlock the door, the wireless
communication device 100 transmits an access request to the electronic door lock 20 (i.e.,
access control device). The electronic door lock 20 transmits an authentication challenge to the
wireless communication device 100 in response to the access request. The authentication
challenge includes, at least, a random bitstring or number which cannot be known in advance to
the wireless communication device 100. The wireless communication device 100 combines
selected portions of the authentication challenge, including the random bitstring, with the stored
authorization code using a predetermined combining algorithm to generate an authentication
response and transmits the authentication response to the electronic door lock 20. The
electronic door lock 20 computes an expected authentication response using the same
combining algorithm. If the received authentication response matches the expected
authentication response, the door is unlocked to permit access to the hotel room.

The central controller 40 communicates with the wireless communication device 100 via
a wireless interface, such as a BLUETOOTH interface, to supply authorization codes to the
wireless communication device 100. Alternatively, the wireless communication device 100 may
be inserted into a docking station or connected by means of a cable to a standard interface on
central controller 40 to permit the exchange of data. The central controller 40 may also
communicate with the electronic door lock 20 to load or change authorization codes for the
electronic door lock 20. It is not essential, however, that the central controller 40 communicate
with the electronic door lock 20. As will be described below, the electronic door lock 20 can be
programmed with a secret master code that is used to compute authorization codes for different
time periods. With knowledge of this master code and a device number associated with the
electronic door lock 20, the central controller 40 can compute, at any given time, the valid
authorization code of the electronic door lock 20.

Communication between the wireless communication device 100 and electronic door
lock 20 is by means of a wireless interface, such as a short-range RF interface conforming to
the BLUETOOTH standard. The BLUETOOTH standard enables wireless communication of
data and voice over short-range wireless links between both mobile devices and fixed devices.
The BLUETOOTH interface is a universal radio interface in the 2.45 GHz frequency band that
enables portable electronic devices to connect and communicate wirelessly via short-range, ad
hoc networks. Persons interested in various details regarding the BLUETOOTH technology are
referred to the article entitled "The Bluetooth Radio System" authored by Jaap Haartsen, which
can be found in the IEEE Personal Communications, February, 2000, the disclosure of which is
incorporated herein by reference. While the present invention is explained herein with reference
to the BLUETOOTH standard, it is noted that other standards for short-range wireless interfaces
may also be used.

The BLUETOOTH standard makes provision for encryption and decryption of data,
allowing data to be communicated securely. Using the BLUETOOTH standard, the wireless
communication device 100 can communicate securely with the electronic door lock 20 and
central controller 40 without disclosing secret information.

Figure 2 is a functional block diagram showing an exemplary embodiment of a wireless
communication device 100 according to the present invention. In the exemplary embodiment,
the wireless communication device 100 is a BLUETOOTH-equipped mobile terminal, such as a
cellular radiotelephone or personal digital assistant (PDA). The wireless communication device
100 comprises a main processor 101, input device 102, display 103, wireless interface 104,
battery 105, and a security module 110. Processor 101 controls the operation of the wireless
communication device 100. An input device 102, such as a keypad or pointing device, allows
data and commands to be entered by the user. Display 103 enables the user to view
information, such as device settings and prompts. Wireless interface 104 enables
communication with external devices, such as the electronic door lock 20 and possibly central
controller 40. Battery 105 supplies power to the wireless communication device 100. Security
module 110 may contain subscription data needed to activate the wireless communication
device 100. Additionally, the security module 110 may store security variables, such as public
and private encryption keys, to facilitate secure transactions.

Figure 3 illustrates the security module 110 in greater detail. Security module 110
comprises a secure processor 111, program memory 112, data memory 113, random access
memory 114, and I/O interface 115. Security module 110 may optionally include a co-processor
116 and random noise or bit generator 117. Processor 111 executes only selected programs
stored in program memory 112. Data memory 113 is used as long-term storage for data
generated after manufacture, such as user-specific secret keys. Random access memory 114
is used as temporary storage during calculations. I/O interface 115 interfaces the security
module 110 with the main processor 101 in the wireless communication device 100.
Co-processor 116, if present, accelerates certain calculations, such as cryptographic calculations
involving multiplication, squaring, or exponentiation of long integer values. Random noise
generator 117, if present, provides for one-time generation of public/private key pairs and ad
hoc authentication challenges, as will be hereinafter described. Co-processor 116 and random
noise generator 117 are not necessary to the implementation of the invention, but may be useful
for the related aspect of verifying the identity of the user.

Security module 110 may be contained, for example, in a removable smart card. U.S.
patent applications related to the use of smart cards include U.S. Patent Application Serial No.
09/695,964 filed October 25, 2000 entitled "Method of Bi-Lateral Identity Authentication Over the
Internet" and U.S. Patent Application Serial No. 09/696,450 entitled "Method for Establishing a
Symmetric Cipher Key" filed October 25, 2000, which are incorporated herein by reference. The
first-mentioned application describes how to use a wireless communication device 100
containing a smart card to mutually establish the identity of two communicating devices and to
establish a temporary session key for efficient, secure communication between the devices.
The second application describes a method for securely establishing a secret key and storing
the secret key in a smart card. The techniques described in these applications can be used to
verify the electronic identity, including the credit identity of a prospective hotel guest and to
establish a secret key with which authorization codes are transferred from the central controller
40 to the wireless communication device 100 to be enciphered, thereby preventing interception.

Figure 4 shows an exemplary embodiment of the electronic door lock 20 in more detail.
Electronic door lock 20 comprises an actuator 22, control unit 24, internal time clock 26,
wireless interface 28, network interface 30, security module 32, and battery 34. Wireless
interface 28 allows the electronic door lock 20 to communicate with the wireless communication
device 100. As previously mentioned, wireless interface 28 may be a BLUETOOTH interface.
Electronic door lock 20 may further include a network interface 30 to connect the electronic door
lock 20 to the central controller 40 via a local area network in certain embodiments. Network
interface 30 may be a standard interface for wireline communications, such as a serial interface
or Ethernet interface, or may be a wireless interface. Alternatively, a single wireless interface
28 may be used for communications with both the wireless communication device 100 and
central controller 40. Real time clock 26 provides a time reference to control unit 24. The
electronic door lock 20 may further include a security module 110 of the type shown in Figure 3
that provides secure storage for secret information and performs cryptographic calculations as
will be hereinafter described. Power for the electronic door lock 20 is supplied by a battery 34
or other power supply.

Figure 5 is a functional block diagram of the central controller 40, which may be located
at the hotel check-in desk or connected to a check-in station via a local area network. Central
controller 40 typically comprises any type of personal or desktop computer having a processor
41, input device 42, display 43, clock 44, network interface 45, and security module 110.
Central controller 40 may further include an interface 46, such as a wireless interface, for
communicating with the wireless communication device 100 carried by the customer. Operation
can be restricted only to authorized staff by normal log-in procedures using passwords, etc.
Operation of security programs can be further protected by the use of reverse passwords
originating in the security module 110 as described in U.S. Patent Application Serial No.
09/727,062 filed November 30, 2000 entitled "Anti-Spoofing Password Protection," which is
incorporated by reference herein. This application describes a method to protect against false
displays inviting the user to enter passwords, which would then be conveyed innocently to an
unauthorized party.

Security module 110 is typically contained in a secure, tamper-proof package and may
be of the type illustrated in Figure 3. Security module 110 may store secret information used to
derive authorization codes as hereinafter described, as well as public and private keys used for
encryption and decryption. Network interface 45, such as an Ethernet interface, connects the
central controller 40 to a local area network within the hotel, which may provide the means for
communicating with the electronic door lock 20. The local area network may further include a
gateway (not shown) for communicating with external networks, such as the Internet. Wireless
interface 46 may, for example, comprise a BLUETOOTH interface which allows short-range
communication and ad hoc networking with other devices. Central controller 40 may
communicate with the wireless communication device 100 via wireless interface 46.
Alternatively, wireless interface 46 may be replaced by a standard interface, such as a serial
interface or USB interface.

According to a first implementation of the invention, electronic door locks 20 of a hotel
are supplied with an authorization code by the central controller 40. The authorization code can
be supplied to the electronic door lock 20, for example, when the hotel guest checks in. The
authorization codes are customized to a particular door or doors and to particular dates or
times. Typically, one code is issued for each door for each authorized time period (e.g., day,
week). However, the same code may be issued for multiple doors. The central controller 40
may also provide the electronic door lock 20 with a time indication to indicate the period during
which the authorization code is valid. The central controller 40 may use an enciphered
communication channel based on a secret, symmetric key to communicate with the electronic
door lock 20 to secure communications against interception. The cipher key may be a
symmetric key known only to the hotel or, alternatively, a public/private key pair may be used for
encryption and decryption.

In a second embodiment, no communication is necessary between the electronic door
lock 20 and the central controller 40 after installation of the electronic door lock 20. The
electronic door lock 20 is programmed with a master code, a device identifier (which may, for
example, be the door number), and an initial value for its internal clock 26. Each electronic door
lock 20 may generate a new authorization code at a specified check-out time, as determined by
its internal clock 26 by combining the master code with its device identifier and the date using a
predetermined combining algorithm. The central controller 40 can also generate an
authorization code for any door and date by combining the same input variables using the same
combining algorithm, which it may then supply to the guest's wireless communication device
100.

In use, a hotel guest bearing a wireless communication device 100 presents himself at
the hotel check-in desk. If the wireless communication device 100 includes a BLUETOOTH
interface, the wireless communication device 100 may already have established
communications with the central controller 40. The details of how communications are
established between two BLUETOOTH devices are not material to this invention and are not
discussed further herein. Through use of encryption technology, the BLUETOOTH interface
provides a secure communication channel between the wireless communication device 100 and
central controller 40. During the check-in procedure, the guest may be asked for the electronic
equivalent of a credit card for billing purposes. The central controller 40, under the direction of
the hotel employee, transmits a credit ID request to the guest's wireless communication device
100. The central controller 40 and wireless communication device 100 may then execute an
authentication procedure as described in U.S. Patent Application Serial No. 09/696,450. The
purpose of the authentication procedure is to establish or authenticate the credit identity of the
guest. The authentication procedure may incorporate a key-establishment procedure to
establish a session key for further communications. Upon authentication of the claimed credit
identity, the central controller 40 transmits authorization code(s) and possibly associated time
indications to the wireless communication device 100, which may be enciphered using the
agreed-upon session key. Time indications may be needed when multiple authorization codes
for different time periods are transferred so that the wireless communication device 100 will
know which code to use for any given time period.

The authorization codes and session key are stored in the wireless communication
device 100. The authorization codes and session key may, for example, be stored in
tamper-proof memory within security module 110 or in protected form in memory 113. One method of
protecting an authorization code stored in an insecure memory is to delete selected digits of the
authorization code based on a PIN code supplied by the user. The authorization code, in this
case, is not operative to unlock the door unless the PIN code, known only to the user, is
supplied to fill in the missing digits of the authorization code.

The guest's wireless communication device 100, now programmed with one or more
authorization codes and associated time indications, may be used to unlock a hotel door
equipped with the electronic door lock 20 of the present invention. The wireless communication
device 100 transmits an access request to the electronic door lock 20 to unlock the hotel door.
The access request may include a device identifier that addresses the particular electronic door
lock 20 (e.g., "358" for room 358). The device identifier may address multiple electronic door
locks 20 using a group identifier as will be hereinafter described. Upon receipt of the access
request, the electronic door lock 20 generates an authentication challenge in security module
110. Alternatively, the electronic door lock 20 may receive an authentication challenge from the
central controller 40 specific to that particular electronic door lock 20 and transmit the
authentication challenge to the wireless communication device 100. The authentication
challenge transmitted by the electronic door lock 20 may comprise a locally-generated random
bitstring or number obtained from a random noise generator 117, which may be located in the
electronic door lock 20 or accessible via a local area network. The authentication challenge
may further include the current time indication, which can be supplied by either the central
controller 40 or by a clock 26 internal to the electronic door lock 20.

Upon receipt of the authentication challenge, the wireless communication device 100
combines at least the random bitstring of the authentication challenge with the appropriate
authorization code for the current time period to form an authentication response. The time
indication in the authentication challenge (if present) may be used by the wireless
communication device 100 to select the appropriate authorization code from a plurality of codes,
or the wireless communication device 100 may use a time indication provided by an internal
clock (not shown). Wireless communication device 100 transmits the authentication response
to the electronic door lock 20.

The electronic door lock 20 compares the received authentication response with an
expected authentication response calculated by the electronic door lock 20 or supplied by the
central controller 40. If the received authentication response matches the expected
authentication response, the electronic door lock 20 actuates the electronic locking mechanism
22 to unlock the door.

The authorization code supplied by the central controller 40 to the wireless
communication device 100 may comprise a combination of secret master codes with at least a
time indication indicating the time period during which the authorization code is valid. The user
of the wireless communication device 100 is, therefore, unable to produce authorization codes
for a time period of the user's choosing, since the user does not possess the secret master
code. Optionally, the device identifier may be used to generate the authorization code and/or
authentication response. The device identifier may be combined by the central controller 40
with the secret master code and time indication to generate the authorization code. Similarly,
the device identifier may be combined by the wireless communication device 100 with the
authorization code and selected portions of the authentication challenge to generate the
authentication response. Using a device identifier to generate the authentication response in
wireless communication device 100 may be done when the hotel uses different master codes to
produce authorization codes for different doors. If the same master code is used to generate
authorization codes for all doors, then the wireless communication device 100 could open any
door by substituting a user-supplied device identifier when calculating the authentication
response, which is not desired.

A privileged user, such as hotel staff, may receive a wireless communication device 100
programmed with a master authorization code to open any door. A master authorization code is
one that opens two or more doors. Such a master authorization code is generated by the
central controller 40 using the master code and a group identifier. The master authorization
code may also be generated based on a time indication associated with a desired time period.
A group identifier is a code that addresses more than one electronic door lock 20. For example,
the bitstring for "353" may address electronic door lock for room 353. The bitstring for "35-"
(where - represents a blank digit) may be used to address electronic door locks for rooms
350-359. The bitstring for "3--" may be used as a group identifier for all rooms on the third floor, and
the bitstring for "---" may be used as a group identifier for all rooms in the hotel.

To use a master authorization code, the wireless communication device 100 transmits a
group identifier to the electronic door lock 20 as part of an access request. The access request
may be addressed to a specific electronic door lock 20 to prevent other electronic door locks 20
within range of the wireless communication device 100 from actuating. For example, the access
request to the electronic door lock 20 for room number 303 could comprise the string 303 3--
encoded into bits to indicate to the electronic door lock 20 that the authentication response will
be based on a master authorization code for the group comprising all third floor rooms.
Likewise, an access request to the electronic door lock 20 for room 358 would include the string
358 3--. The electronic door lock 20 would respond with an authentication challenge and the
privileged user's wireless communication device 100 would calculate an authentication
response with that user's master authorization code. The master authorization code is
computed by the central controller 40, using the group identifier in place of a device identifier.
That is, the group identifier is combined with the master code and, possibly, a time indication.
The electronic door lock 20 computes an expected authentication response based on the
master authorization code for the designated group and compares the authentication response
received from the privileged user's wireless communication device 100 with the expected
authentication response. Upon a match, the door would be unlocked.

The method described above would unlock any door for rooms beginning with the
numeral "3," and, therefore, provides a master key for rooms on the third floor, for example. A
universal master key could be computed by hotel security equipment based on the master code,
a time indication, and the bit pattern for "---", which references any door. When a door is opened
by such master keys, the door lock's internal clock 26 can be reset to a time conveyed from the
privileged user's wireless communication device 100 by transmitting a reset command so that
any drift or inaccuracy is corrected to the exact hotel time.

The method of combining hotel secret data with time indication, device identifiers, or
other variables to produce authorization codes and, likewise, the method of combining
authorization codes with selected portions of authentication challenges, either in the wireless
communication device 100 or the electronic door lock 20, uses a non-reversible function. The
purpose of a non-reversible function is to render impossible or impractical the determination of
the master code or authorization code given the output of the function and all other non-secret
input variables. Likewise, the non-reversible function renders impractical the generation of
authorization codes for another door or time period given the authorization codes for one door
or time period, or given the authorization code for many other doors and/or time periods. A
good combination algorithm having the desired properties is described in U.S. Patent No.
5,091,942, which is hereby incorporated by reference. Typically, such a non-reversible function
is provided by using a block cipher, using the secret data at the key input, and other data bits as
the "data to be encrypted" input. The block cipher, known as DES, may be used, for example, if
the security provided by 56-bit secret keys is judged adequate. Otherwise, the iterative block
cipher described in the above patent may be extended to any desired key or variable length.
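
The following is an added illustration, not part of the application, of the stand-alone-lock embodiment: authorization codes derived from master code, device or group identifier and time period, then combined with a random challenge. HMAC-SHA256 is substituted here for the block-cipher combining function the application names; the function names, the field encoding, the date format, and the lock's check that a group identifier covers its own room are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

BLANK = "-"  # blank digit in a group identifier, e.g. "35-" or "3--"


def combine(key: bytes, *fields: bytes) -> bytes:
    """Stand-in non-reversible function: HMAC-SHA256 keyed with the secret.

    Fields are length-prefixed so that ("35", "8") and ("358", "") differ.
    """
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def authorization_code(master_code: bytes, identifier: str, period: str) -> bytes:
    """Master code + device (or group) identifier + time period -> code."""
    return combine(master_code, b"code", identifier.encode(), period.encode())


def authentication_response(auth_code: bytes, identifier: str, nonce: bytes) -> bytes:
    """Authorization code + identifier + random challenge -> response."""
    return combine(auth_code, b"resp", identifier.encode(), nonce)


def group_covers(identifier: str, room: str) -> bool:
    """True if identifier is the room itself or a group pattern matching it."""
    return len(identifier) == len(room) and all(
        g in (BLANK, r) for g, r in zip(identifier, room))


class DoorLock:
    """Stand-alone lock: holds the master code, its room number and a clock."""

    def __init__(self, master_code: bytes, room: str, clock):
        self._master, self.room, self._clock = master_code, room, clock
        self._nonce = None

    def challenge(self):
        """Fresh random bitstring plus the lock's current time indication."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce, self._clock()

    def verify(self, identifier: str, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None   # each challenge is single-use
        if nonce is None or not group_covers(identifier, self.room):
            return False
        code = authorization_code(self._master, identifier, self._clock())
        expected = authentication_response(code, identifier, nonce)
        return hmac.compare_digest(expected, response)


def attempt(lock: DoorLock, auth_code: bytes, identifier: str) -> bool:
    """Handset side: request a challenge and answer it with the stored code."""
    nonce, _period = lock.challenge()
    return lock.verify(identifier,
                       authentication_response(auth_code, identifier, nonce))


def demo() -> dict:
    master = b"constructed-master-code"   # sample secret, constructed here
    day1, day2 = "2001-05-22", "2001-05-23"
    guest = authorization_code(master, "358", day1)   # issued at check-in
    staff = authorization_code(master, "3--", day1)   # third-floor master code
    lock358 = DoorLock(master, "358", lambda: day1)
    lock359 = DoorLock(master, "359", lambda: day1)
    lock412 = DoorLock(master, "412", lambda: day1)
    lock358_next_day = DoorLock(master, "358", lambda: day2)
    # A response computed for one challenge must not satisfy the next one.
    nonce, _ = lock358.challenge()
    captured = authentication_response(guest, "358", nonce)
    lock358.verify("358", captured)
    lock358.challenge()
    replayed = lock358.verify("358", captured)
    return {
        "guest_own_room": attempt(lock358, guest, "358"),
        "guest_other_room": attempt(lock359, guest, "359"),
        "guest_next_day": attempt(lock358_next_day, guest, "358"),
        "guest_claims_group": attempt(lock358, guest, "3--"),
        "staff_room_358": attempt(lock358, staff, "3--"),
        "staff_room_412": attempt(lock412, staff, "3--"),
        "replayed_response": replayed,
    }


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name}: {'unlocked' if opened else 'refused'}")
```
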

Despite the security provisions described above, sophisticated criminals can attempt to 
fraudulently gain access to a hotel room by luring an individual with an authorized wireless 

25 communication device 100 to request access to the room, relaying the access request to the 
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electronic door lock 20, relaying the authentication challenge from the electronic door lock 20 to 
the authorized user's wireless communication device 100, and relaying the authentication 
response received from the authorized user's wireless communication device 100 to the 
electronic door lock 20. For example, two fraudulent parties may collaborate to lure a hotel 
5 guest to remotely unlock his hotel room door so that they can commit theft. One fraudulent 
party, equipped with a modified wireless communication device, may loiter near a door he 
wishes to unlock, while the other, having a second similarly-modified wireless communication 
device 100, engages the unsuspecting guest in a conversation. The second fraudulent party 
lures or tricks the guest into demonstrating how the wireless communication device 100 is used
to unlock a door. Thus, the guest may be lured into transmitting an access request to open the
door, which request is received by the second fraudulent party's wireless device and 
immediately relayed to the first fraudulent party. The first fraudulent party's wireless device 
retransmits the access request to the electronic door lock 20 at close range and receives in 
return an authentication challenge, which is relayed to the second fraudulent party. The
wireless device of the second fraudulent party retransmits the authentication challenge to the
guest's wireless communication device 100. The guest's wireless communication device 100 
may respond with the correct authentication response, which is then received by the second 
fraudulent party's wireless device and relayed to the first party. The wireless device of the first 
fraudulent party may then retransmit the authentication response to the electronic door lock 20,
thereby gaining access to the guest's hotel room. Such fraud may be perpetrated even though
the guest may be miles away from the hotel. 

There is no way for the guest's wireless communication device 100 to distinguish a 
relayed authentication challenge from a direct challenge from the electronic door lock 20 based 
on signal characteristics. The authentication challenge transmitted by the electronic door lock
20 may be reproduced exactly and relayed to the guest's wireless communication device 100
over long distances. Likewise, there is no way for the electronic door lock 20 to distinguish a
relayed authentication response from a direct response based on signal characteristics. Thus, a 
protocol should be implemented to hamper such fraudulent attempts. The following safeguards 
may be incorporated to hinder fraud with the unwitting aid of an authorized wireless 
communication device 100.

1. The authorized wireless communication device 100 should not respond to an
authentication challenge unless it has first been caused by the user to transmit an access 
request. 

2. The authorized wireless communication device 100 should not automatically
respond to an authentication challenge unless the user indicates that it should do so, for
example, by pressing a "yes" key in response to a prompt from the wireless communication
device 100. 

3. The authorized wireless communication device 100 should not transmit an 
access request until the user has entered a security code, such as a PIN code. Alternatively,
during a preamble in the protocol for initially establishing communication with the electronic door
lock 20, the user may be requested to enter a security code at a suitable point before 
continuing. 

4. The authorized wireless communication device 100 can display an indication that 
communication has been established with the electronic door lock 20, which would be a surprise
to the user if the user was miles away from the hotel.

5. The electronic door lock 20 can place time delay limits on the receipt of an 
authentication response after issuing an authentication challenge, short enough to hinder 
attempts to relay the authentication challenge to a remote authorized device. An authentication 
response calculation algorithm could be designed so that no partial calculation can usefully
commence until receipt of the last bit of the challenge to be transmitted. The authentication
response should be calculated as fast as possible and transmitted as soon as possible
thereafter, thus allowing the smallest delay limits to be specified and imposed. 

6. The BLUETOOTH frequency-hopping communication protocol inherently hinders 
attempts at fraud by being set up to uniquely, for each link, employ an ad hoc, random 
frequency sequence. If necessary, the electronic door lock 20 and the authorized wireless
communication device 100 can make the authentication response depend in some way on a 
parameter describing the frequency-hopping sequence. This procedure would require the 
fraudulent devices to introduce essentially zero delay, which is very difficult when they must 
operate bi-directionally using time division duplex. 

With any or all of the above safeguards, the guest can be protected against unwittingly
opening his door from a remote location.
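
The derivation of per-door authorization codes and safeguards 5 and 6, shown together as an added Python example that is not part of the application or the inventors' code. Assumptions: HMAC-SHA256 stands in for the block cipher the text names, the frequency-hopping parameter is an opaque byte string, time is a simulated clock passed in by the caller, and all function names, the 5 ms limit and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def one_way(key: bytes, *fields: bytes) -> bytes:
    # Keyed non-reversible function; HMAC-SHA256 is a stand-in for the block cipher.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def authorization_code(master_code: bytes, door_id: str, period: str) -> bytes:
    # One code per door and time period; it reveals neither the master code nor other codes.
    return one_way(master_code, door_id.encode(), period.encode())

def response(auth_code: bytes, challenge: bytes, hop_param: bytes) -> bytes:
    # Safeguard 6: bind the response to a parameter of this link's hopping sequence.
    return one_way(auth_code, challenge, hop_param)

class DoorLock:
    def __init__(self, auth_code: bytes, max_delay_s: float):
        self.auth_code = auth_code
        self.max_delay_s = max_delay_s  # safeguard 5: time delay limit
        self.pending = None

    def challenge(self, now: float, hop_param: bytes) -> bytes:
        # Fresh random challenge, remembered with its issue time and the link's parameter.
        self.pending = (secrets.token_bytes(16), now, hop_param)
        return self.pending[0]

    def verify(self, resp: bytes, now: float) -> bool:
        if self.pending is None:
            return False
        chal, issued, hop_param = self.pending
        self.pending = None  # a challenge is good for one attempt only
        if now - issued > self.max_delay_s:
            return False  # too slow: consistent with a relayed challenge
        return hmac.compare_digest(resp, response(self.auth_code, chal, hop_param))

def demo() -> dict:
    # Constructed values: master code, door id, period, 5 ms limit, link labels.
    code = authorization_code(b"constructed-master-code", "door-0417", "2001-W21")
    lock = DoorLock(code, max_delay_s=0.005)
    out = {}
    c = lock.challenge(now=0.0, hop_param=b"hop-A")
    out["direct"] = lock.verify(response(code, c, b"hop-A"), now=0.002)
    c = lock.challenge(now=1.0, hop_param=b"hop-A")
    out["relayed_slow"] = lock.verify(response(code, c, b"hop-A"), now=1.25)
    c = lock.challenge(now=2.0, hop_param=b"hop-A")
    out["relayed_other_link"] = lock.verify(response(code, c, b"hop-B"), now=2.002)
    return out
```

The third case is the one the delay limit alone does not catch: the response arrives in time, but the guest's device computed it over the hopping parameter of its own link to the relay, so it does not match what the lock expects for its link.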

The above invention has been described with respect to a typical application in the hotel 
business in which temporary guests are awarded access to rooms for a specified period. 
However, the invention may be used in any circumstances in which a person or device is
required to be authorized to perform functions, gain physical access to areas or gain electronic
access to information, and the authorization may be controlled by an authorizing party, including 
limiting the area or time period to which such authorization is granted. Such variations of the 
invention fall within the scope of the invention as described by the attached claims. 